The Hacker News — Cyber Security, Hacking, Technology News

Today, Oracle has released its quarterly Critical Patch Update (CPU) for the month of July, as part of its monthly security bulletin, in which it fixes a total of 113 new security vulnerabilities for hundreds of the company’s products.

The security update for Oracle's popular browser plug-in Java addresses 20 vulnerabilities in the software, all of which are remotely exploitable without authentication, which means an attacker wouldn't need a username and password to exploit them over a network.

MOST CRITICAL ONE TO PATCH FIRST

Oracle uses the Common Vulnerability Scoring System (CVSS) to provide an open and standardized rating of the security holes it finds in its products. One or more of the Java vulnerabilities received the most "critical" rating under CVSS, i.e. a base score of 10 or close to it.

Numerous other Oracle products and software components are also addressed in the latest security update, which fixes around 29 vulnerabilities in Oracle Fusion Middleware (27 of which enable remote code execution), seven vulnerabilities in Hyperion products and five apiece in Oracle Database and E-Business Suite. But Java was the only product with security issues scoring the highest critical rating.

So, the Java patches are the most urgent and should be at the top of your list: one of the Java SE vulnerabilities in this patch update (CVE-2014-4227) scores ten out of ten in the common vulnerability rating system, and seven of the other Java SE client vulnerabilities received a CVSS score of 9.3.

Oracle Database Server will also be updated for five vulnerabilities, one of which is remotely exploitable, while there will be 10 patches released for MySQL Server, but none of them are remotely exploitable.

JAVA WILL CONTINUE TO SUPPORT WINDOWS XP

The company recently announced that it would no longer support Java on Windows XP, though it expects Java 7 to continue to work on the Windows XP platform, and Oracle security updates for Java on XP machines will continue.

“This end of support announcement has been misread as ‘Java no longer works on Windows XP’ or ‘Oracle will stop Java updates from being applied on Windows XP.’ These statements are not correct,” said Oracle vice-president of product management in the Java Platform Group Henrik Stahl.

“We expect all versions of Java that were supported prior to the Microsoft de-support announcement to continue to work on Windows XP for the foreseeable future. In particular, we expect that JDK 7 will continue to work on Windows XP.”

However, Java 8 is not even designed to install on the Windows XP operating system. So, the installer for the developer releases of Java 8 will not run on it without manual intervention.

PATCH OR SIMPLY DISABLE JAVA?

Java runs on more than 850 million personal computers and on billions of devices worldwide, therefore protecting against Java zero-day exploits is a rising concern among millions of Windows, Mac OS, and Linux users.

Security experts recommend not installing Java if you don't already have it, and perhaps even disabling it if you have it but do not regularly use an application or visit any website that requires Java.

UPDATE YOUR SYSTEMS NOW

The company is urging its customers to update their systems as soon as possible. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible," the firm warned.

To demonstrate the attack, Alexander showed how to send an unauthorized email via SMTP (Simple Mail Transfer Protocol) in an FTP connection attempt, even though the FTP connection failed: FTP servers do support authentication, but they don't check for the presence of carriage returns (CR) or line feeds (LF) in usernames.

"This attack is particularly interesting in a scenario where you can reach an (unrestricted, maybe not even spam- or malware-filtering) internal mail server from the machine doing the XML parsing," Alexander concluded.

Java/Python FTP Injections Allow Firewall Bypass

However, two days later in a separate security advisory, security researcher Timothy Morgan from Blindspot Security came forward with his findings, showing a more threatening exploitation scenario in which the FTP URL handlers in both Java and Python can be used to bypass firewalls.

Morgan said the FTP protocol injection flaw could be used to trick a victim's firewall into accepting TCP connections from the web to the vulnerable host's system on its "high" ports (from 1024 to 65535).

Besides the FTP protocol injection attack, there is a decade-old security issue in the FTP protocol called classic mode FTP, an insecure mechanism of client-server FTP interaction that many firewall vendors still support by default.

When a classic mode FTP connection is initiated, the firewall temporarily opens a port – typically between 1024 and 65535 – specified in the PORT command, which introduces security risks.

Using the FTP protocol injection issue in Java and Python, an attacker who knows the targeted host’s internal IP address can start a classic mode FTP connection, which attackers can use for nefarious purposes.

Morgan has determined that an attacker can open up one port in the targeted firewall with only three requests:

Identify the victim's internal IP address – this requires an attacker to "send a URL, see how the client behaves, then try another until the attack is successful."

Determine packet alignment and ensure that the PORT command is injected at the right moment, making the attack work.

Exploit the vulnerability.

Each additional request can be used to open up another TCP port.
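The root cause described above is a CR or LF smuggled into the username, password or path of an ftp:// URL, which the URL handler writes to the FTP control channel as a new command. The following is an added example (not code from Morgan's advisory or from the Java or Python projects) of the input check a fetcher can run before handing a URL to a handler; the function names and the sample URLs are constructed for this example.

```python
"""Pre-check for ftp:// URLs before they reach a URL fetcher.

Added example, not code from Morgan's advisory or from the Java or Python
projects. A CR or LF inside the username, password or path of an FTP URL
would be sent to the FTP server as a new command, so the URL is rejected
up front. Function names and the sample URLs are constructed.
"""
from typing import Optional
from urllib.parse import unquote, urlsplit

# Characters that must never reach the FTP control channel inside one command.
CONTROL_CHARS = frozenset("\r\n\x00")


def ftp_url_rejection_reason(url: str) -> Optional[str]:
    """Return None if the URL may be fetched, otherwise a short reason.

    The raw string is inspected before parsing: urllib.parse silently strips
    raw CR/LF characters since Python 3.9.5, so a check done only on the
    parsed components would miss a literal injection.
    """
    if CONTROL_CHARS & set(url):
        return "raw control character in URL"

    parts = urlsplit(url)
    if parts.scheme.lower() != "ftp":
        # Only the handler the caller expects; no silent switch to another scheme.
        return f"unexpected scheme {parts.scheme!r}"
    if not parts.hostname:
        return "missing host"

    # FTP handlers percent-decode user info and path before sending USER, PASS
    # and CWD, so %0D / %0A would become CR / LF on the wire. Decode and check.
    for name in ("username", "password", "path"):
        value = getattr(parts, name) or ""
        if CONTROL_CHARS & set(unquote(value)):
            return f"control character in {name}"
    return None


def is_safe_ftp_url(url: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    return ftp_url_rejection_reason(url) is None


if __name__ == "__main__":
    # Constructed sample URLs: one benign, the others carrying a smuggled
    # line break or an unexpected scheme.
    samples = [
        "ftp://alice:secret@ftp.example.net/pub/readme.txt",
        "ftp://alice%0D%0Abob@ftp.example.net/pub/readme.txt",
        "ftp://alice@ftp.example.net/pub%0A/readme.txt",
        "http://ftp.example.net/pub/readme.txt",
    ]
    for sample in samples:
        print(f"{sample!r}: {ftp_url_rejection_reason(sample) or 'ok'}")
```

Run the check on the raw URL string before any parsing or percent-decoding happens in the fetcher; a check placed after the parser may never see the CR/LF.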

Easily Exploitable Protocol Injection Flaw

However, the researcher warned that his exploit could be used for man-in-the-middle (MitM) attacks, server-side request forgery (SSRF), XXE attacks and more, and once the firewall is bypassed, desktop hosts can be attacked even if they do not have Java installed.

All an attacker needs is to convince victims to access a malicious Java or Python application hosted on a server in order to bypass the entire firewall.

"If a desktop user could be convinced to visit a malicious website while Java is installed, even if Java applets are disabled, they could still trigger Java Web Start to parse a JNLP (Java Network Launch Protocol) file," Morgan said. "These files could contain malicious FTP URLs which trigger this bug."

"Also note that since Java parses JNLP files before presenting the user with any security warnings, the attack can be entirely successful without any indication to the user (unless the browser itself warns the user about Java Web Start being launched)."

According to Morgan, a nearly identical flaw also exists in Python's urllib2 and urllib libraries, although "this injection appears to be limited to attacks via directory names specified in the URL."

Protocol Injection Flaw Is Still Unpatched

Morgan said the FTP protocol injection flaw was reported to the Python team in January 2016 and Oracle in November 2016 by his company, but neither of the two has issued any update to address the issue.

Morgan has developed a proof-of-concept (PoC) exploit but is currently holding back publication of his exploit until Oracle and Python respond to the disclosure and release patches.

Morgan's exploit has been successfully tested against Palo Alto Networks and Cisco ASA firewalls, though researchers believe many other commercial firewalls are also vulnerable to FTP stream injection attacks.

So until patches become available, Morgan suggests users uninstall Java on their desktops and in browsers, as well as disable support for "classic mode" FTP on all firewalls.

These days botnets are all over the news. In simple terms, a botnet is a group of computers networked together, running a piece of malicious software that allows them to be controlled by a remote attacker.

A major target for most malware is still Windows, but the growing market share of Mac OS X, Linux and smartphones is also giving cyber criminals a solid reason to focus on those platforms.

Last year, Zoltan Balazs, CTO at MRG Effitas, submitted samples of a malicious Java application for analysis to Kaspersky Lab, which identified it as HEUR:Backdoor.Java.Agent.a.

According to researchers, to compromise computers, Java-Bot exploits a previously known critical Java vulnerability, CVE-2013-2465, that was patched last June. The vulnerability persists in Java 7 u21 and earlier versions.

Once the bot has infected a computer, the malware copies itself into the home directory and registers itself with the system's startup programs so that it launches automatically. The malware is designed to launch distributed denial-of-service (DDoS) attacks from infected computers.

It uses the following methods to start it based on the target operating system:

The malware authors used the Zelix KlassMaster obfuscator (encryption) to make analysis more difficult. It creates a separate key for each class, so all classes have to be analysed to recover the decryption keys.

The botnet executable contains an encrypted configuration file for the Mac OS 'launchd' service. It also encrypts the malware's internal working logic.

The malware uses PircBot, an open framework for implementing communication via IRC. Zombie computers then report to an Internet Relay Chat (IRC) channel that acts as the command-and-control server.

The botnet supports HTTP and UDP flooding (DDoS attacks) against a target whose details (address, port number, attack duration and number of threads to be used) are received from the IRC channel.

Users should update their Java software to the latest release, Java 7 Update 51 of 14 January 2014, which can be found on Oracle's Java website. The next scheduled security update for Java is on 14 April 2014.

Now, a new zero-day vulnerability has been reported in Oracle’s Java that is reportedly being exploited in the wild by hackers to target government armed forces.

Cybercriminals are actively exploiting the Java-based zero-day flaw in an attempt to target U.S. defense agencies and members of NATO, Trend Micro security researchers warned in a blog post published Sunday.

According to researchers, the vulnerability affects only the latest version of Java, version 1.8.0.45. The older Java versions, Java 1.6 and 1.7, are not affected by this zero-day exploit.

So far, few details have been disclosed about the Java zero-day bug, considering a patch is yet to be released by Oracle, although hackers are already exploiting the flaw through drive-by download attacks.

Java Zero-Day Exploit in the Wild

Cyber criminals are using email messages to spread the malicious links hosting the Java zero-day exploit. Once clicked, the exploit code delivers a basic Trojan dropper, TROJ_DROPPR.CXC, that drops a payload called TSPY_FAKEMS.C into the "/login user" folder.

From the login user folder, the malware executes arbitrary code under the default Java settings, thus compromising the security of the system.

Researchers have also unearthed an attack that leverages a three-year-old Windows vulnerability identified as CVE-2012-015, which Microsoft addressed in Bulletin MS12-027 three years ago.

Operation Pawn Storm APT Group Behind Java 0-Day Exploit

The advanced persistent threat (APT) group Operation Pawn Storm is thought to be responsible for the Java zero-day exploit attacking members of NATO and US defense organizations, but the security firm did not disclose the names of the organizations where the attack was sighted.

Pawn Storm, a group of hackers specialized in cyber-espionage operation, has been active since 2007 and has also been known by different names, including APT28, Sednit, Fancy Bear, and Tsar Team.

Are You Vulnerable to New Java Zero-Day Exploit?

Oracle developers are working with Trend Micro to develop a fix to patch the issue. Until the patch is rolled out, users are advised to disable Java temporarily in their browser.


A widely disseminated exploit kit popular with hackers has been updated to take advantage of a recently discovered Java vulnerability. Researchers at Microsoft reported last week that they had observed this vulnerability being exploited in the wild. The Java exploit allows attackers to bypass the Java Runtime Environment's sandbox to install malicious code remotely.

The malicious Java applet is loaded from an obfuscated HTML file. The applet contains two Java class files: one triggers the vulnerability and the other is a loader class used to load the payload.

Named CVE-2012-0507, the flaw essentially allows hackers to bypass the Java sandbox, a mechanism designed to blunt attacks from malicious code. For its part, the BlackHole exploit kit, available underground, allows users armed with only basic computer knowledge to set up malicious websites that target vulnerable computers through the web browser.

Statistics from vulnerability management firm Rapid7 tell a similar story, based on its analysis of the Java patching habits of Internet users. According to the company, in the first month after a Java patch is released the fix is deployed by less than 10 percent of users. After two months, the number jumps to approximately 20 percent. The highest patch rate for Java last year was 38 percent, the percentage of users who applied Java Version 6 Update 26 within three months of its release.

According to software giant Oracle, Java is deployed across more than 3 billion systems worldwide. But the truth is that many people who have this powerful program installed simply do not need it, or only need it for very specific uses. I’ve repeatedly encouraged readers to uninstall this program, not only because of the constant updating it requires, but also because there seem to be a never-ending supply of new exploits available for recently-patched or undocumented vulnerabilities in the program.

Oracle has released emergency patches for Java multiple times in recent months, for one set of vulnerabilities after another. About 100 million computers are reported to be vulnerable to unauthorized access via various flaws in the Java software. The Department of Homeland Security's US-CERT has already warned users to disable Java permanently to stop hackers from taking control of users' machines.

Security experts advised, 'The best defense we have right now for these kinds of attacks is to disable Java in the browser forever'. According to Websense experts, most browser installations use outdated versions of the Java plug-in that are vulnerable to at least one of the several exploits used in popular web attack toolkits. Exploit kits are a very common tool for the distribution of many Java-based threats.

To detect the vulnerable Java versions installed on systems, Websense experts used their 'threat intelligence network' technology, which monitors billions of web requests originating from tens of millions of systems.

Websense showed that only 5.5% of Java-enabled browsers have the most up-to-date version of the software. "It is probably no surprise that the largest single exploited vulnerability is the most recent one, with a vulnerable population of browsers at 93.77%," Charles posted on the Websense blog.

"Most browsers are vulnerable to a much broader array of well-known Java holes, with over 75% using versions that are at least six months old, nearly two-thirds being more than a year out of date, and more than 50% of browsers are greater than two years behind the times with respect to Java vulnerabilities."

All this doesn't mean that Java is an insecure language or platform, or that web sites built on Java EE are any less secure than other platforms. Unfortunately, perception often beats reality, and Java is getting a big black eye from this one.

The US-based software maker Oracle delivered an unusual out-of-band emergency patch for Java in an effort to fix a flaw that occurs during installation on the Windows platform.

The successful exploitation of the critical vulnerability, assigned CVE-2016-0603, could allow an attacker to trick an unsuspecting user into visiting a malicious website and downloading files to the victim's system before installing Java 6, 7 or 8.

Although the vulnerability is considered relatively complex to exploit, a successful attack results in "complete compromise" of the target's machine.

What You Need to Know About the Java Exploit

A successful attack requires the attacker to trick an unskilled user into opening a Java installer even though the user is nowhere near the Java website.

Since the existence of the loophole is only during the installation process, users are not required to upgrade their existing Java installations in order to address the vulnerability.

"However, Java users who have downloaded any old version of Java before 6u113, 7u97 or 8u73, should discard these old downloads and replace them with 6u113, 7u97 or 8u73 or later," says Eric Maurice, Oracle security blogger.

Patch Now! Java Update Released

Not many details about the flaw are known yet, nor has Oracle provided any public information on the nature of the vulnerability.

However, due to the threat posed by a successful attack, we strongly recommend customers to apply the emergency patch as soon as possible.

It’s time to update your Java program as Oracle has released its massive patch package for multiple security vulnerabilities.

The United States software maker Oracle releases its security updates every three months, which it refers to as "Critical Patch Updates" (CPU). Yesterday, Oracle released its second CPU of this year, providing important updates that address a total of 104 vulnerabilities, the company announced.

Of the overall vulnerabilities, 37 impact Java SE, and several of these flaws are so serious that they can be remotely exploited by malware to gain system access and execute arbitrary code with the privileges of a local user.

Successful exploitation also allows an attacker to manipulate certain local data on a system and can cause a DoS without the need for authentication credentials, which means the flaws can be exploited over a network without a username and password to crash an application or an entire system.

In the latest update, the vulnerabilities have been fixed in the current release, "Java SE 8 Update 5", and in the newer "Java SE 7 Update 55".

In addition to Java SE, vulnerabilities have been fixed in each affected software product, including:

Oracle Database

Fusion Middleware

Access Manager

Containers for J2EE

Data Integrator

Endeca Server

Event Processing

OpenSSO

WebCenter Portal

WebLogic Server

Hyperion Common Admin

E-Business Suite

Agile PLM Framework

Transportation Management

PeopleSoft Enterprise

Java SE, MySQL Server and others

Among the security updates, 4 of the 37 Java vulnerabilities are very serious, having received the maximum CVSS (Common Vulnerability Scoring System) base score of 10.0, and must be considered critical.

Oracle has released a new patch which kills off a vulnerability in Java 7 that was being exploited by malware developers. "Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible," said Eric Maurice, the company's director of software security assurance.

The out-of-band Security Alert CVE-2012-4681 includes fixes for “three distinct but related vulnerabilities and one security-in-depth issue” affecting Java running within the browser.

Users with vulnerable versions of Java installed can have malware silently planted on their systems just by unknowingly browsing to a hacked or malicious website. Java is a free programming language widely used to enable everyday programs and website elements to function, including some games, apps and chat, as well as enterprise apps.

The attacks using this vulnerability so far have been Windows-based, but the exploit has been demonstrated on other platforms supported by Java 7, including OS X systems, where the exploit was successfully run in the latest Safari and Firefox browsers on Mountain Lion.

The Java exploit, originally used for targeted attacks, went public last week and began to spread like wildfire after it was added to the popular BlackHole crimeware kit, making it easily accessible to all types of cybercriminals. The patches are emergency, out-of-schedule updates for Oracle. The company was not planning to release security updates for Java until October.


Firefox developers searching for a way to protect users against a new attack that decrypts sensitive web traffic are seriously considering an update that stops the open-source browser from working with Oracle's Java software framework.

He went on to say that Firefox already has a mechanism for “soft-blocking” Java that allows users to re-enable the plugin from the browser's addons manager or in response to a dialogue box that appears in certain cases. “Click to play or domain-specific whitelisting will provide some measure of benefit, but I suspect that enough users will whitelist, e.g., facebook that even with those mechanisms (which don't currently exist!) in place, we'd have a lot of users potentially exposed to java weaknesses.”

In order to protect users from an attack that decrypts sensitive web traffic, Firefox developers are looking at an update that stops the browser from working with Oracle's Java. The move would stop Firefox from working with a number of very popular websites. The team is only holding off because of how much such a ban would hurt the user experience.

The Browser Exploit Against SSL/TLS has earned its BEAST acronym. By injecting JavaScript into an SSL session, it can recover secret information that's transmitted to a predictable data-stream location. Researchers Thai Duong and Juliano Rizzo were able to use BEAST to get an encrypted authentication cookie used to access a PayPal account in less than two minutes.

The researchers settled on a Java applet as their means to bypass SOP, leading Firefox developers to discuss blocking the framework in a future version of the browser.

The prospect of Firefox no longer working with Java could cause a variety of serious problems for users, particularly those in large corporations and government organizations that rely on the framework to make their browsers work with virtual private networks and intranet tools.

Google has finally won a six-year-long $9 billion legal battle with Oracle over the use of Java APIs in Android.

Oracle filed its lawsuit against Google in 2010, claiming that the company illegally used 11,500 lines of Java code in its Android operating system, violating copyrights owned by Oracle.

However, a federal jury of ten people concluded Thursday that Google's use of Java constituted "Fair Use" under US copyright law and delivered a verdict in favor of Google.

The case was a big deal as the court decision could have the potential to change the way future apps are written for the Android operating system that is being used by almost 80% of the world's mobile devices.

Oracle, which owns Java, had been seeking $9 billion in damages for the use of application programming interfaces (APIs), which govern how code communicates with other bits of code.

However, Google argued that the Java APIs in question were necessary for software innovation, allowing different apps to talk to each other, and, therefore, couldn’t be copyrighted.

Google almost won the initial lawsuit in 2012, but a federal court reversed the decision in 2014 in Oracle's favor. Google asked the US Supreme Court to take the case, but the Supreme Court declined to hear Google's appeal.

Now, the verdict that was reached after three days of deliberations marked a victory for Google after the jury found that the company’s use of the code and the structure, sequence, and organization of the Java APIs in the Android was a fair use.

Oracle, of course, said it will appeal to the US Supreme Court.

"We strongly believe that Google developed Android by illegally copying core Java technology to rush into the mobile device market," Oracle lawyer Dorian Daley said in a statement.

"Oracle brought this lawsuit to put a stop to Google's illegal behavior. We believe there are numerous grounds for appeal and we plan to bring this case back to the federal circuit on appeal."

Unsurprisingly, Google called the verdict "a win for the Android ecosystem" as well as for "software developers who rely on open and free programming languages to build innovative consumer products."

Security issues have long plagued the over 850 million users that have Oracle's Java software installed on their computers. The worst thing is that the software was not fully updated or secure for years, exposing millions of PCs to attack.

And for this reason, Oracle is now paying the price.

Oracle has been accused by the US government of misleading consumers about the security of its Java software.

Oracle is settling with the Federal Trade Commission (FTC) over charges that it "deceived" its customers by failing to warn them about the security upgrades.

Java is a software that comes pre-installed on many computers and helps them run web applications, including online calculators, chatrooms, games, and even 3D image viewing.

Oracle Left Over 850 Million PCs at Risk

The FTC has issued a press release saying it has won concessions in a settlement with Oracle over its failure to uninstall older, insecure Java SE software from customer PCs during the upgrade process, which left up to 850 million PCs susceptible to hacking attacks.

The company was only upgrading the most recent version of the software and ignoring the older versions, which were often chock full of security loopholes that could be exploited by hackers to compromise a targeted PC.

Oracle is Now Paying the Price

So, under the terms of the settlement with Oracle, announced by the FTC on Monday, Oracle is required to:

Notify Java customers about the issue via Twitter, Facebook, and its official website

Provide tools and instructions on how to remove older versions of Java software

Oracle has agreed to the settlement that is now subject to public comment for 30 days, although Oracle declined to comment on its part.

Meanwhile, the FTC wants Java users to know that if they have older versions of the software, the following website will help them remove those versions: java.com/uninstall.

Hackers are using a new exploit for a bug in the out-of-date but popular Java 6 platform to attack victims, and the exploit has been added to the commercially available Neutrino exploit kit.

The use of Java 6 is still prevalent, exposing a significant number of users to the threat. F-Secure analyst Timo Hirvonen warned about the exploit over Twitter, advising that he had found an exploit in the wild actively targeting an unpatched vulnerability in Java 6, CVE-2013-2463.

The exploit's proof-of-concept was made public last week, prior to in-the-wild attacks surfacing on Monday. Oracle is aware of the hole but, since Java 6 is no longer supported, the company will not patch the issue.

The vulnerability lies in the Java Runtime Environment's 2D sub-component, which is used to render two-dimensional graphics. Because no patch is available, the exploit provides cybercriminals and other attackers an effective vehicle for attacks targeting users and organizations still running Java 6.

The Neutrino crimeware kit was first spotted in March 2013, when it was identified as the source of a series of attacks that were exploiting Java vulnerabilities to install ransomware on victims' PCs, freezing them until users paid a fine that was supposedly being levied by the FBI and other law enforcement agencies.

The impact of this threat may be less for usual Internet users than for organizations/entities, who may not be quick to migrate to the latest software version due to business and/or operational continuity issues.

Users should update their Java installations to the latest revision of version 7, which does not suffer from the issue. Users who don’t need Java in their everyday tasks should uninstall the software altogether.

Do you still have Java installed? There is bad news for you! FireEye has detected yet another Java zero-day vulnerability being exploited in attacks in the wild.

The vulnerability affects browsers that have the latest versions of the Java plugin installed, Java v1.6 Update 41 and Java v1.7 Update 15, and FireEye warned that it is being exploited to install a remote-access trojan dubbed McRat.

"Not like other popular Java vulnerabilities in which security manager can be disabled easily, this vulnerability leads to arbitrary memory read and write in JVM process,"

"After triggering the vulnerability, exploit is looking for the memory which holds JVM internal data structure like if security manager is enabled or not, and then overwrites the chunk of memory as zero."

The exploit is reportedly different from the one used to attack Facebook, Twitter, Apple, and several other companies last month.

It is not known if this particular Java vulnerability is on Windows only or on Linux and Mac OS X, too. However, McRat is a Windows Trojan so the in-the-wild attacks are specifically targeting Windows users.

If you don't want any chance of being infected, the best thing to do is uninstall Java altogether.

Oracle delivered an unusual emergency patch for a critical Java zero-day vulnerability on Sunday to fix a bug that gave hackers access to users' web browsers. Exploits for the previously undisclosed flaw were being hosted in a number of exploit kits, and attacks had already been seen in the wild dropping ransomware and assorted other malware.

Security Alert CVE-2013-0422 includes two remotely exploitable vulnerabilities. Oracle confirmed that the flaws were only present in Java 7 versions and did not impact Java on servers, Java desktop applications, or embedded Java.

Java is used on 3 billion machines, about 2 billion of which are desktop or laptop computers. Similarly, back in August last year, Oracle issued an urgent fix to seal a dangerous security flaw within its Java software that left thousands of computers wide open to malicious attacks from hackers.

Lamar Bailey, director of security research and development for nCircle, said, "We're just two weeks into 2013 and already we've seen a surge of critical vulnerabilities and emergency patches. Oracle just added 86 new fixes to overloaded IT teams already struggling to keep up with emergency patches for Java, Internet Explorer and Ruby on Rails. No matter how far behind IT teams are, they can't afford to ignore this massive Oracle patch. Oracle Mobile Server has two CVEs that have a CVSS score of ten, that's as bad as it gets. There are also two MySQL vulnerabilities that can be exploited remotely. All of these should be patched as soon as possible."

The January patch includes 86 security updates across all major product lines, including Oracle Database and MySQL Server. Patches for a number of Oracle applications were released Tuesday, including nine for Oracle E-Business Suite (7 of which are remotely exploitable), 12 in Oracle PeopleSoft (7 remotely exploitable), 10 in Oracle Siebel CRM (5 remotely exploitable), and one each in Oracle Supply Chain Products Suite and Oracle JD Edwards Products.

Once again a zero-day exploit is being sold by cyber criminals in the underground, and once again the flaw is in Oracle’s Java software and could allow an attacker to gain remote control over a victim's machine.

The news was reported by the KrebsOnSecurity blog, which announced that the exploit was being sold on an Underweb forum.

The vulnerability affects the most recent version, Java JRE 7 Update 9, and is not present in previous versions of the framework. According to the seller, the bug resides within the Java class “MidiDevice”; the seller describes it with the following statements:

“Code execution is very reliable, worked on all 7 versions I tested with Firefox and MSIE on Windows 7,”

“I will only sell this ONE TIME and I leave no guarantee that it will not be patched so use it quickly.”

The exploited class is a component of Java that handles audio input and output.

It's easy to understand why such a vulnerability is so valuable: the application is very widely deployed and a single exploit can infect multiple operating systems.

The business that has grown up around zero-day exploit trading has been discussed on several occasions. Knowledge of an unknown vulnerability can sell for hundreds of thousands of dollars, and time is the essential factor: the information must be sold before the vendor of the affected application patches the flaw, which wipes out the vulnerability's value.

This time the seller expects a substantial gain in the “five digits”, and that claim appears to be in line with the going market price for a comparable vulnerability.

Mitigating these attacks is very hard: according to Oracle the framework is installed on 3 billion devices, the Java JRE is a multi-platform application, and Java components are used on the majority of web sites today.

While waiting for a patch, the blog suggests using two browsers: one, with the Java plug-in enabled, only for the web sites that require Java, and a second, with the Java plug-in and add-ons disabled, for ordinary browsing.

We can only hope that these exploits do not end up in the wrong hands; it could be very dangerous.

Apple has discontinued its own Java plug-in, issuing an 'update' that removes it from Mac OS X and encourages users to download Oracle's version of the software instead. It's another step by Apple towards making OS X safer on the web.

Mac users may have noticed that Java-based web sites now display a "Missing Plug-in" notification. The Apple Support page states that this update is for OS X 10.7 and later. Apart from stripping the Java plug-in from browsers, it also removes the Java Preferences application, since it is no longer required for configuring applet settings. To be clear, the update does not remove Java from your system if it's installed, only the Java plug-in from your web browsers.

In August, Java was blasted as an unsafe plug-in that should only be used when absolutely necessary after a zero-day exploit was discovered, rolled into the user-friendly Blackhole exploit kit and used for nearly a week before Oracle issued a patch. That patch, however, also proved to be full of security bugs.

In April this year, Apple came under scrutiny over the Flashback malware, which threatened OS X users by exploiting a vulnerability in Java. Dubbed BackDoor.Flashback.39, the Trojan infected over half a million computers.

Google appears to be dropping Oracle's Java application programming interfaces (APIs) from future versions of its Android mobile operating system and switching to an open source alternative instead.

Google will be making use of OpenJDK – an open source version of Oracle’s Java Development Kit (JDK) – for future Android builds.

This was first highlighted by a "mysterious Android codebase commit" submitted to Hacker News. Google then confirmed to VentureBeat that the upcoming Android N will use OpenJDK rather than its own implementation of the Java APIs.

Google and Oracle have been fighting it out in court for years, however, and it is hard to imagine that such a massive change is unrelated to the search giant's ongoing legal dispute with Oracle.

What Google and Oracle are Fighting About

The dispute started when Oracle sued Google for copyright infringement in 2010, claiming that Google improperly used a part of its programming language, the Java APIs, and baked them into its Android mobile OS.

However, Google argued that the Java APIs in question were necessary for software innovation, allowing different applications to talk to each other, and, therefore, could not be copyrighted.

Google largely won the initial lawsuit in 2012, but a federal court mostly reversed the decision in 2014 in Oracle's favor. Google asked the US Supreme Court to take the case, but the Supreme Court declined to hear Google's appeal.

The final decision is yet to be made, but one possibility could be that the company will be prohibited from using the copyrighted APIs.

OpenJDK, the alternative to Oracle's proprietary Java APIs, is still controlled by Oracle, but at least Google is legally cleared to implement it.

As for how this new change in Android affects you and me, the new code should make it somewhat easier for Android N developers, perhaps resulting in better apps and quicker updates.

Takashi Katsuki, a researcher at antivirus firm Symantec, has discovered a new attack ongoing in the wild that targets the open-source Apache Tomcat web application server with a cross-platform, Java-based backdoor that can be used to attack other machines.

The malware, dubbed "Java.Tomdep", differs from other server malware in that it is not written in the PHP scripting language. It is a Java-based backdoor that runs as a Java Servlet and gives compromised Apache Tomcat hosts malicious capabilities.

Because Java is a cross platform language, the affected platforms include Linux, Mac OS X, Solaris, and most supported versions of Windows. The malware was detected less than a month ago and so far the number of infected machines appears to be low.

You may think that this type of attack only targets personal computers, such as desktops and laptops, but unfortunately that isn’t true. Servers can also be attacked. They are quite valuable targets, since they are usually high-performance computers and run 24x7.

The Java worm seeks out systems that have Apache Tomcat installed and running, then attempts to log in with a brute-force attack that cycles through combinations of user names and passwords.

After installation, the malicious servlet behaves like an IRC bot and can receive commands from an attacker. The malware can upload and download files from the system, create new processes, update itself, set up a SOCKS proxy, and perform UDP flooding, i.e. take part in large-scale DDoS attacks.

Symantec says the command-and-control servers have been traced to Taiwan and Luxembourg. To avoid this threat, ensure that your server and AV products are fully patched and updated.
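Because Java.Tomdep gets its foothold by brute-forcing Tomcat logins, the failed attempts show up in Tomcat's access log before the servlet is ever deployed. The following is an added example, not code from the article or from Symantec, of a small detector that reads Tomcat access-log lines in the default `%h %l %u %t "%r" %s %b` pattern, flags any source host that produces a burst of HTTP 401 responses against the `/manager/` application, and reports any later successful (200) login from a host that was already flagged, which is the pattern a successful brute-force would leave. The log lines, the `/manager/` path prefix, the five-attempt threshold and the five-minute window are all assumptions constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in Tomcat's default access-log format
# (%h %l %u %t "%r" %s %b). These are fabricated for this example and are
# not log data from the Symantec report. 10.0.0.5 hammers the manager app,
# then logs in successfully as "tomcat"; 192.168.1.30 only fails twice;
# 192.168.1.20 is a normal admin login.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Nov/2013:10:15:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Nov/2013:10:15:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Nov/2013:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.30 - - [12/Nov/2013:10:15:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Nov/2013:10:15:04 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Nov/2013:10:15:05 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - - [12/Nov/2013:10:15:06 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.0.0.5 - tomcat [12/Nov/2013:10:15:08 +0000] "GET /manager/html HTTP/1.1" 200 19234
192.168.1.30 - - [12/Nov/2013:10:16:10 +0000] "GET /manager/html HTTP/1.1" 401 2473
192.168.1.20 - admin [12/Nov/2013:10:20:00 +0000] "GET /manager/html HTTP/1.1" 200 19234
"""

# Regex for the default Tomcat AccessLogValve pattern.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, threshold=5, window=timedelta(minutes=5), path_prefix="/manager/"):
    """Sliding-window brute-force detector over chronologically ordered log lines.

    Returns (flagged, successes):
      flagged   - {host: peak number of 401s seen within `window`} for hosts that
                  reached `threshold` failures against `path_prefix`
      successes - [(host, user)] for 200 responses on `path_prefix` from a host
                  that had already been flagged (a likely successful brute-force)
    """
    recent = defaultdict(deque)   # host -> timestamps of recent 401s
    flagged = {}
    successes = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(path_prefix):
            continue
        host = rec["host"]
        if rec["status"] == 401:
            q = recent[host]
            q.append(rec["ts"])
            # Drop failures that fell out of the time window.
            while rec["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                flagged[host] = max(flagged.get(host, 0), len(q))
        elif rec["status"] == 200 and host in flagged:
            successes.append((host, rec["user"]))
    return flagged, successes


if __name__ == "__main__":
    flagged, successes = analyze(SAMPLE_LOG.splitlines())
    for host, count in flagged.items():
        print(f"brute-force suspected from {host}: {count} failed manager logins")
    for host, user in successes:
        print(f"ALERT: {host} logged in to the manager app as '{user}' after a failure burst")
```

On a live system you would feed the script the current `localhost_access_log.*.txt` file and, on an alert, review what was deployed through the manager application and whether the host has since opened outbound IRC connections, which is the behaviour the article attributes to the backdoor.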

Adam Gowdiak, founder and CEO of Security Explorations of Poland, has reported a new unpatched security vulnerability in Java that affects all Java versions, including 7u21, released last Tuesday.

Gowdiak says he has sent Oracle a report about a Reflection API vulnerability in the newly shipped Server Java Runtime Environment (JRE), notifying them of the new security weakness. “It can be used to achieve a complete Java security sandbox bypass on a target system,” he said.

The vulnerability allows attackers to completely bypass the language's sandbox and access the underlying system. Gowdiak has not published any further details about the vulnerability, in order to give Oracle time to patch the problem.

According to Oracle, “39 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password”

He first reported vulnerabilities in the Reflection API a year ago, and he said that this vulnerability is present in the server versions of the Java Runtime Environment as well as in the JRE plug-in and JDK software.